modiloader | 3a5f033cf4ee8b35331a0f33d4692b4188e5fc7a9747a8635d317ff3ccd49600

General

Target

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
Size

588KB
MD5

7399b04ed244435c4d082b45a95c3ee7
SHA1

255fe7bb5c55c9751d2f6a6c09db14c4cd091676
SHA256

3a5f033cf4ee8b35331a0f33d4692b4188e5fc7a9747a8635d317ff3ccd49600
SHA512

a0baad8992538bb8f828d88f425efb53a9979de23d0417ee0bbd060189daa2c015b90472ca431036bb860826df5e3e5bcbd0ac86dd2d0fcb21b0fde9fdfa501f
SSDEEP

12288:CV2B6B7wwpuKO9vPYPN+Hb2aSkmIF3Z4mxxl+utJ2An+f0m6:CUBYBshHq+7W6QmXl/w9fi

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2292-42-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2
behavioral1/memory/1792-55-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2
behavioral1/memory/1792-66-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2
behavioral1/memory/2292-67-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2632 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rejoice47.exe

pid process

1792 rejoice47.exe
Loads dropped DLL 2 IoCs

Processes:

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

pid process

2292 7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
2292 7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

pid	process
2632	cmd.exe

pid	process
1792	rejoice47.exe

pid	process
2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice47.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rejoice47.exe

description pid process target process

PID 1792 set thread context of 3068 1792 rejoice47.exe calc.exe

description	pid	process	target process
PID 1792 set thread context of 3068	1792	rejoice47.exe	calc.exe

Drops file in Program Files directory 2 IoCs

Processes:

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exerejoice47.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice47.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exerejoice47.exe

description	pid	process	target process
PID 2292 wrote to memory of 1792	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 2292 wrote to memory of 1792	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 2292 wrote to memory of 1792	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 2292 wrote to memory of 1792	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 1792 wrote to memory of 3068	1792	rejoice47.exe	calc.exe
PID 1792 wrote to memory of 3068	1792	rejoice47.exe	calc.exe
PID 1792 wrote to memory of 3068	1792	rejoice47.exe	calc.exe
PID 1792 wrote to memory of 3068	1792	rejoice47.exe	calc.exe
PID 1792 wrote to memory of 3068	1792	rejoice47.exe	calc.exe
PID 1792 wrote to memory of 3068	1792	rejoice47.exe	calc.exe
PID 2292 wrote to memory of 2632	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe
PID 2292 wrote to memory of 2632	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe
PID 2292 wrote to memory of 2632	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe
PID 2292 wrote to memory of 2632	2292	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe"
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2632

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice47.exe
Filesize
588KB

MD5
7399b04ed244435c4d082b45a95c3ee7

SHA1
255fe7bb5c55c9751d2f6a6c09db14c4cd091676

SHA256
3a5f033cf4ee8b35331a0f33d4692b4188e5fc7a9747a8635d317ff3ccd49600

SHA512
a0baad8992538bb8f828d88f425efb53a9979de23d0417ee0bbd060189daa2c015b90472ca431036bb860826df5e3e5bcbd0ac86dd2d0fcb21b0fde9fdfa501f

Download Submit
memory/1792-54-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/1792-55-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/1792-66-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-22-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-38-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-14-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2292-41-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2292-40-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-39-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-19-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-37-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-36-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-35-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-34-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-18-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-32-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-31-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-30-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-29-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-28-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-27-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-26-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-25-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-20-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-23-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-0-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-21-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-24-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000001F30000-0x0000000001F84000-memory.dmp

Filesize
336KB

Download
memory/2292-33-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-17-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-16-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2292-15-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2292-13-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2292-12-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2292-11-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2292-10-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2292-9-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2292-8-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2292-6-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2292-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2292-4-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2292-3-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2292-2-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2292-42-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-52-0x00000000043D0000-0x000000000452D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-51-0x00000000043D0000-0x000000000452D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-68-0x0000000001F30000-0x0000000001F84000-memory.dmp

Filesize
336KB

Download
memory/2292-67-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3068-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-62-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads